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b7E 
FD-1057 (Rev. 5-8-10) 
UNCLASSIFIED 
FEDERAL BUREAU OF INVESTIGATION 
Electronic Communication 
Title: (U) Opening EC - City of Chicago (OEMC) Date: 02/15/2013 
Victim. 
b7c 
From: CHICAGO 
CG-CY-2 
b6 


b7c 
pprove 4 bE 


CITY OF CHICAGO - VICTIM; b7E 
Synopsis: (U) Request that captioned matter be opened as full 
investigation and assigned to SA b6 
b7C 
Full Investigation Initiated: 02/15/2013 
Details: 
On 02/11/2013, the following post was made by the twitter handle 
@OpLastResort 
b7E 
"OpLastResort 
\@opLastResort 
Happy #AaronSwartzDay. Details of every security camera in Chicago: 
b7E 


nonymous € atc € atcners... ophas esor 


Reply Retweet Favorite More 


33 
RETWEETS 
10 
FAVORITES 


UNCLASSIFIED 


es ; 


UNCLASSIFIED b7E 


Title: (U) Opening EC - City of Chicago (OEMC) Victim. 


8:33 AM —- 11 Feb 13 

b6 
11 Feb BIC 
@OpLastResort That's Brilliant, that! Bravo. 


Details" 


The referenced spreadsheet has been determined to have been created 


by the Chicago Office of Emergency Management and Communications 


(OBMC). Analysis of the spreadsheet had determined it was last modified 
in Excel on 09/11/2009. The City of Chicago has assessed the risk posed 


by the disclosure of the information in the spreadsheet as low. 


The means by which the spreadsheet was obtained b7E 


is as yet unknown and it is also unknown if other OEMC material has 
been exfiltrated. The laptop computer belonging to the OEMC employee 
who last modified this spreadsheet has been forensically imaged and 


will be reviewed. 


It is requested that captioned matter be opened and assigned to 


writer. 


¢ 


UNCLASSIFIED 


2 


—— : 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Evidence Log 


FD-1087 (Rev. 5-8-10) 


Event Title: (U) Aquisition of forensic image Date: 02/20/2013 
(E01) of computer hard drive 


b6 
seatted ay: sad 
case [| S*dYCOC8) ows vs ~ sus eer; 2. 


CITY OF CHICAGO -— VICTIM; b7E 


Full Investigation Initiated: 02/15/2013 


Acquired By: salon 02/14/2013 b6 
b7c 
Acquired From: (U) CART re[ sd 


Receipt Given?: No 
Holding Office: CHICAGO 
Details: 


500GB Western Digital hard drive S/N WXD1A71A8938 containing forensic 
image (E01) of computer hard drive assigned tof tommy. sem 
Forensic image created on-scene at OEMC at 1411 W. Madison St, Chicago, 


IL by CART FE 


Item Type Description 

1B CART (U) 500GB Western Digital hard drive S/N WXD1A71A8 938 
containing forensic image (E01) of computer hard drive 
assigned tol (0c) b6 
Acquired On: 02/14/2013 bic 
Located By: SA 

Location Area: 1411 W. Madison St, Chicago, IL 

Specific Location: OEMC 

Device Type: Mass Storage Device 

Number of Devices Collected: 1 


UNCLASSIFIED 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its 
contents are not to be distributed outside your agency. 


b3 


UNCLASSIFIED 


Title: (U) Aguisition of forensic image (E01) of computer hard drive 
assigned to (OEMC) b3 
Re: 02/20/2013 Pe 
b7C 
b7E 
o¢ 
UNCLASSIFIED 


2 


FD-1087 (Rev. 5-8-10) 


[ 


UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Event Title: 


( 
O 


Evidence Log 


EMC file server 


approved By: a/ssa sal 


CITY OF CHICAGO = VICTIM; 


Full Investigation Initiated: 02/15/2013 


Acquired By: sal on 02/19/2013 


Acquired From: 


Receipt Given?: 


Holding Office: 


Details: 


2TB Western Digital hard drive bearing S/N WMAY05245773 containing 


logical image of OEFMC file server. 


Item Type 
1B CART 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its 


No 


CHICAGO 


Description 
(U) 2TB Western Digital hard drive bearing S/N 


WMAY05245773 containing logical image of OEMC file 


server. 
Acquired On: 02/19/2013 

Located By: SA 

Location Area: 1411 W. Madison St, Chicago, IL 
Specific Location: OEMC 

Device Type: Mass Storage Device 

Number of Devices Collected: 1 


UNCLASSIFIED 


contents are not to be distributed outside your agency. 


U) Aquisition of logical image of Date: 02/20/2013 


Forensic image provided to SA 


b3 
b7E 


b6 
b7Cc 


b3 
b7E 


b6 
b7C 


b6 


b7C 


b6 
b7C 


[ 


UNCLASSIFIED 


Title: (U) Aguisition of logical image of OEMC 


file server 


¢ 


UNCLASSIFIED 


2 


b3 
b7E 


b3 
b7E 


—— ; 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rey. 10-16-2009) 


Form Type: EMAIL Date: 03/21/2013 


Title: (U) 2-14-13 email fron[ regarding [ 
b6 


Case ID #: [ (U) UNSUB - SUBJECT; b3 
b7E 


CITY OF CHICAGO - VICTIM; 


b6 


Synopsis: (U) 2-14-13 email from[ regarding 
b7Cc 


advising that [_Jhas no recollection of the spreadsheet in question. 


o¢ 


UNCLASSIFIED 


| amo) (FBI) 
From: Po bs 


Sent: Thursday, February 14, 2013 10:09 AM b7¢c 
To: b7E 
Subject: RE: Camera Information Disclosure Incident Update 

Importance: High 

All, 


| just interviewed| __—| He does not recognize the document at all. He does remember the woman, [ 


He believes she was a City employee when he first began working here at OEMC who resigned to go to Law 


School. He at one time assisted ISCN to identify potential sites for new POD Cameras but that was the extent of his b6é 

involvement with the Camera Program. That was a 90 day program about 5+ years ago to the best of his recollection. Die 

R/ 

nono Original Message----- 

From|_Imailto be 

Sent: Thursday, February 14, 2013 8:32 AM b7C 
b7E 

To 

Subject: Re: Camera Information Disclosure Incident Update 
b6 
b7C 
b7E 

Sent: Wed Feb 13 21:36:46 2013 

Subject: Re: Camera Information Disclosure Incident Update 

That may be n OEM. | can check tomorrow. The today date was probably as you surmised. We saved it to let b6 
b7C 


drill into the properties. 


n---- Original Message ----- 


Sent: Wednesday, February 13, 2013 08:25 PM bic 
TS b7E 


Subject: RE: Camera Information Disclosure Incident Update 


[SSS—S_isusst pointed out to me that | think we've all been looking at a slightly modified version of the b6é 
spreadsheet. Modified in that the last modified property in Excel reflects that the last modified date had today's date b7Cc 
which is probably the result of opening it on download and then saving it someplace. [indicated he downloaded biE 


—— that the last modified date was in 2009 with a last modified by user 


LJ b6 


heer ee een Eee Aen eae b7Cc 


FBI Chicago 


[| 


From 

Sent: Wednesday, February 13, 2013 6:57 PM b6 
To: b7C 
Subject: Camera Information Disclosure Incident Update 


All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 


Bridge Info 

888-557-8511 code] _—_—| bTE 
or 

215-446-3649 


concern 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
What is our current exposure? 


what's known 


1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 

2 - file contains an inventory of all (?) security cameras within the city 

3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 
information is included b7E 


4 - overall exposure related to file disclosure appears to be low at this time 

5 - metadata on file shows the following 

Author{__ 

Last modified / CPD 

Created: 19 Jan 2006 b6 
possible ID b7C 
6 - Unisys has created an “action team" with separate bridge number to coordinate their activities - number will be 

shared once | get it. 


next steps 


b6 


b7C 
b7E 

[| b6 
City of Chicago, Department of Innovation and Technology ae 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


Do es 
b7E 
FD-302 (Rev. 5-8-10) -l of 1- 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/21/2013 


On 02/15/2013, Federal Bureau of Investigation (FBI) Special agent[_| b6 
b7c 


[twrriter) conducted a preliminary review of evidence item 1Bl1, 
a 500GB Western Digital hard drive bearing S/N WXD1A71A8938 containing a 


forensic image of the computer hard drive assigned to City of Chicago 
Office of Emergency Management & Communications employee ee | 


b6 
b7C 
b7E 


Investigation on 02/15/2013 Chicago, Illinois, United States (In Person) 


File # Date drafted 03/21/2013 b3 
= b6 
by SA | b7Cc 
b7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 


LE 


FD-302 (Rev. 5-8-10) “Loft 4> 


FEDERAL BUREAU OF INVESTIGATION 
Date of entry 03/21/2013 
From 02/20/2013 = 02/21/2013, Federal Bureau of Investigation (FBI) 
Special Agent (writer) conducted a preliminary review of 


vidence item 1B2, a 2TB Western Digital hard drive bearing S/N 


WMAY05245773 containing a logical copy of the City of Chicago 0 
(OEMC) file server. 


ffice of 


Emergency Management & Communications 


Investigation on 02/20/2013 a Chicago, Illinois, United States (In Person) 
03/21/2013 


ce Date drafted 
by SA | | 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 


b3 
b7E 


b6 
b7C 


b7E 


b7E 


b3 
b6 
b7C 
b7E 


b7E 
FD-302a (Rev. 05-08-10) 


fd 


Preliminary review of 1B2 (Logical copy of 
Continuation of FD-302 of CEMC file server) On 02/20/2013 


page 4 0f 4 


b7E 


b7E 
| 7 The analysis results have been included as a 1A 


package. 


On 02/21/2013, writer alerted City of Chicago OEMC personnel 
regarding the identified malicious files contained on the server so 
that appropriate remediation efforts could be made. 


Physical 


Created From: 


Package: 
Stored Location: 
Summary: 


Acquired By: 
Acquired On: 
Acquired From: 
Attachment: 


UNCLASSIFIED 


1A/1C Cover Sheet for Serial 


Export 


(U) CD-R containing 
nalysis results 

A 

0013-02-21 

U) malware analysis 


m~ NY WDM 


U) CD-R containing 
malware 


@ 


nalysis 


b3 
bT7E 


b6 
b7C 
b7E 


b3 
bTE 


FD-302 (Rev. 5-8-10) =o of lis 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/21/2013 


On 02/19/2013, Federal Bureau of Investigation (FBI) Special Agent [| 


(writer) and RCFL Forensic Examiner [met with 
at the Chicago Office of Emergency Management & 


Communications (OEMC) located at 1411 W. Madison St, Chicago, IL. The ae 
purpose of the meeting was to retrieve a logical copy of the OEMC file 
server having the designation OEMC-FS0O1. The copy of the file server had 
been initiated on 02/15/2013 by FE 
FE [__retrievea the logical copy which had been stored to a 2TB 
Western Digital hard drive bearing S/N WMAY05245773 and turned it over to . 


writer. Writer checked the hard drive into evidence as item 1B2. 


Investigation on 02/19/2013 a Chicago, Illinois, United States (In Person) 


File # | | Date drafted 03/21/2013 b3 

b6 
byes | | b7C 
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not bTE 
to be distributed outside your agency. 


FD-941 (2-26-01) 


CONSENT TO SEARCH COMPUTER(S) 


b6 
: b7c 
I, . have been asked by Special Agents of the 
Federal Bureau of Investigation (FBI) to permit a complete search by the FBI or its designees of any and all computers, 
any electronic and/or optical data storage and/or retrieval system or medium, and any related computer peripherals, 
described below: 
HP PROLIANT BL S80, SES2ZA0Z% (tsbeld OFnc- FS OL) 
CPU Make. Mode] & Serial Number (if ee 
Storage or Retrieval Media, Computer Peripherals 
and located at /4yy L) HAD Sens hy Ao Le . which I own, possess. 


control, and/or have access to, for any evidence of a crime or other violation of the law. The required passwords, logins, 


and/or specific directions for computer entry are as follows: _ 


I have been advised of my right to refuse to consent to this search, and I give permission for this search. freely 
and voluntarily, and not as the result of threats or promises of any kind. 


I authorize those Agents to take any evidence discovered during this search, together with the medium in/on which 


it is stored. and any associated data, hardware, software and c 


b6 
=F er a b7C 
me SS 
: vw) iP 
Date 
b6 
b7C 


Printed Fu ame ¢ riness 


VL DE DID Re eagen 


Location 


Po bs 
b7E 
FD-302 (Rev. 5-8-10) -l of 1- 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/20/2013 


Office of Emergency Management and Communications (OEMC), located at 1411 
W. Madison St, Chicago, IL, met with Federal Bureau of Investigation (FBI) b6 


Special agent sd (writer) at the OEMC office and completed a b7c 


consent to search computer form for a Panasonic CF-F9 laptop computer 


assigned to OEMC employee [was present at the time and 
then ae | his laptop computer to writer and RCFL Forensic Examiner (FE) 


FE [| proceeded to create a forensic image of the laptop computer's 
hard drive on-scene storing the image onto a 500GB Western Digital hard 
drive bearing S/N WXD1A71A8938. At the conclusion of the imaging process, b6 
FEL___] turned the 500GB Western Digital hard drive bearing S/N b7Cc 
WXD1A71A8938 over to writer and returned the laptop computer to 


Writer checked the 500GB Western Digital hard drive bearing S/N 
WXD1A71A8938 into evidence as evidence item 1Bl. 


Investigation on 02/14/2013 a Chicago, Illinois, United States (In Person) 


—s == b6 


: ‘ : : : . . : ; b7E 
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 


FD-941 (2-26-01) 


CONSENT TO SEARCH COMPUTER(S) 


b6 
b7C 


I , have been asked by Special Agents of the 
Federal Bureau of Investigation (FBI) to permit a complete search by the FBI or its designees of any and all computers. 


any electronic and/or optical data storage and/or retrieval system or medium, and any related computer peripherals, 


described below: : b6 
Pawhsouic. CE-FA | uphu Cy pute Asorentd HO fee 
CPU Make. Model & Serial Number (if available) 


Storage or Retrieval Media, Computer Peripherals 


andlocatedat_ OEAC ¢ Le ly Madiaun St, C yee, TL _ . which I own. passess. 


control, and/or have access to, for any evidence of a crime or other violation of the law. The required passwords, logins, 


and/or specific directions for computer entry are as follows: 


I have been advised of my right to refuse to consent to this search. and I give permission for this search. freely 


and voluntarily. and not as the result of threats or promises of any kind 


I authorize those Agents to take any evidence discovered during this search, together with the medium in/on which 


c 
% 


it is stored, and any associated data. hardware, software and computer peripherals. 


Signature 


Date 
21/4 i? “es 
Date Signature of Witnes Pue 


FAT 64 
Printed Full Name oD Witness 
PAE We Melrgr ST Chee, DC 


Location 


Do b3 
b7E 
FD-302 (Rev. 5-8-10) -l of 1- 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/20/2013 


On 02/14/2013, Federal Bureau of Investigation (FBI) Special Agent b6 
: spot b7Cc 

(writer) utilized 
b7E 


b7E 


Investigation on United States (, Other (Internet) ) 
03/20/2013 b3 


Fite +L—_] Date drafted 
b6 


by sal | b7Cc 
b7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


02/14/2013 4 Chicago, Illinois, 


to be distributed outside your agency. 


CJ bs 


b7E 
FD-302 (Rev. 5-8-10) -l of 2- 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/20/2013 


On 02/13/2013, Federal Bureau of Investigation (FBI) Special Agent ———] 
[ (writer) participated in a telephone conference call with the b6 
following individuals in reference to the unauthorized posting of a City of b7c 
Chicago spreadsheet on the Internet via twitter: 


City of Chicago 
City of Chicago 

City of Chicago Office of Emergency ee 
Management (OEMC) 


b7c 


Technology, Chicago Police/ OEMC 


The above individuals were aware of the identity of writer and the 
purpose of the call and provided the following information: 


The spreadsheet "City and Sister agency camera List.xls" contains 
legitimate information regarding City of Chicago's camera systems. The 


source from which the spreadsheet was obtained and how it was obtained are 
not known. 


b7E 


[___iJassessed that the risk posed to the City of Chicago's network b6 
based only off of the information in the spreadsheet to be low, but that b7Cc 


Chicago IT personnel will begin searching email and file servers to attempt 
to find where this spreadsheet resides on the city's computer systems. 


Following the conference call, the participants sent a series of e-mail 


messages providing ongoing updates of efforts to ascertain where on the 
City of Chicago computer systems that the spreadsheet existed and how it 
could have been obtained. These e-mail messages reflected the following 


additional information: 


Investigation on 02/13/2013 » Chicago, Illinois, United States (Phone, Email) 


rieeL___ Datedrated 03/20/2013 > 
by sa | b7c 


b7E 
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 


[od 


FD-302a (Rev. 05-08-10) b3 
—t bs 

= : ; b7C 

Conference call and email communication b7E 


Continuation of FD-302 of With et al ,On 92/13/2013 page 2 Of 2 


The information reflected in the spreadsheet is not current beyond 2009 
and much of the information is now substantially outdated. The spreadsheet 
appears to have originated at OEMC. The version of the spreadsheet 


downloaded b b6 
had a "last saved by" property value of OEMC has a b7c 
b7E 


| lamp) (FBI) 


From: 

Sent: Wednesday, February 13, 2013 7:13 PM b6 
To: b7C 
Cec: 

Subject: possible need for RCFL resources tomorrow 


= 


FYI that the City of Chicago has had a potential data breach (a spreadsheet listing information for the city's surveillance b6 
cameras from a number of different departments and agencies was posted online by hacktivists). We don't have a b7Cc 
starting point as of yet in terms of where this spreadsheet was pulled from, but once we do there may be a need to do 

some on scene imaging of some boxes. No real idea what it would actually be at this point, but just wanted to give you 

the heads up that we may be needing your services tomorrow. 


sad bs 


FBI Chicago b7c 
fd 


PE TTR EN ETN eae errr errr ere ever ees PEN PETES ETS VETTES VEES EHEC PUCHSNSECTEN CUT TUETOEET SENSE SCESVEET SCE TETTSENVTTET TSE TPCT TST SeeeT Ceres pers aCe TC aT 
Sent: Wednesday, February 13, 2013 6:12 PM b7C 
H i 7 : 
oO: 
To: 
= 
ubject: status update 
: 


Just concluded call. We are going to have a follow up in 1 hr to report any updates. Current situation is as follows: 


- Spreadsheet contains legitimate information. The source from which the spreadsheet was obtained and how it was 
obtained are still unknown. 


b7E 


of the information in the spreadsheet as low. 


- Chicago IT personnel are going to begin searching email and file servers to attempt to find where the exfiltrated 
spreadsheet resides on Chicago's systems to give a starting point from an investigative perspective. 


- Author of spreadsheet appears to be a 


nd spreadsheet was initially created in 2006 per the file 
roperties. Some confusion at this point wh as 


is and what her role with city is/was. There is a b6 
nd city is making inquiries to ascertain if this is the same b7Cc 


person. 


- Advised City of Chicago personnel that the FBI would be opening an investigation into this matter. 


conference call which had personnel from bE 
City of Chicago CIO's office, OEMC, and CPD on the call. 


- Twill emaill___ ho let him know that there may be a need for on-site imaging tomorrow depending on what wefindin p¢ 
terms of where this spreadsheet was pulled from. bic 


FBI Chi b6 
b7¢ 
b7E 


| [(RMD) (FBI) 
From: Lo ae 


Sent: Wednesday, February 13, 2013 8:40 PM 
To: 
Subject: RE: 


Since the spreadsheet appears to contain information reflecting updates as recent as 2009 (from what I can tell) 
somebody else was obviously working on this after she left. Is it possible to contact everyone that works at OEMC to see 
if anyone knows about this spreadsheet? 


sf] bs 


FBI = b7c 
b7E 


From: 


Sent:_Wednesday, February 13, 2013 7:37 PM 
To: b6 
Subject: b7C 


Started in dept. 005 OBM in August 42003] then she was appointed in March 01, 2005 to 
dept. 058. She resigned in March 15, 2006. 


| believe 058 is the OEMC. 


[| 


Department of Innovation and Technology 


City of Chicago 
b6 


b7C 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this 
e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy 
of any e-mail and printout thereof. 


| (emp) (FBI) 
From: [ a 


Sent: Wednesday, February 13, 2013 9:25 PM b7c 
To: b7E 
Subject: RE: Camera Information Disclosure Incident Update 


[susstt pointed out to me that | think we've all been looking at a slightly modified version of the 
spreadsheet. Modified in that the last modified property in Excel reflects that the last modified date had today's date b6 
which is probably the result of opening it on download and then saving it someplace. indicated he downloaded b7c 

and that the last modified date was in 2009 with a last modified by user b7E 


SA ee 
FBI Chicago b7c 
b7E 


Sent: Wednesday, February 13, 2013 6:57 PM b6 


Ue bIC 
Subject: Camera Information Disclosure Incident Update 


All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 


Bridge Info 

888-557-8511 code{__ b7E 
or 

215-446-3649 


concern 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
What is our current exposure? 


what's known 


1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 

2 - file contains an inventory of all (?) security cameras within the city 

3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 
information is included b7E 


4 - overall exposure related to file disclosure appears to be low at this time 


1 


5 - metadata on file shows the following 

Last modified / CPD b7c 
Created: 19 Jan 2006 

possible ID 

6 - Unisys has created an “action team" with separate bridge number to coordinate their activities - number will be 

shared once | get it. 


next steps 


b6 
b7C 
b7E 


City of Chicago, Department of Innovation and Technology bé 


b7c 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


| Rup) (FBI) 
b6 
From: Ld BIC 
Sent: Wednesday, February 13, 2013 9:50 PM 
To: | 


Subject: update #2 


- next status call to be at 815 am Thursday morning 


- Current belief is that this document was created by an OEMC employee. City has confirmed the information in 
spreadsheet is only as recent as 2009 and some of it is substantially outdated now. 


- Initial version of the spreadsheet forwarded by City of Chicago personnel to FBI had a last modified date of today 
(reflecting someone from City opening and doing a save as with the file most likely prior to forwarding it) which changed 
the last modified by user in Excel. 


[sstst~s~—sSCSC=sadvised me that he directly downloaded the file nd the last modified bé6 
date was in 2009 with a last modified by user . OEMC has advised this is likely who I believe is a b7¢c 
[fet OEMC. OEMC is going to confirm in the morning witht b7E 


- City of Chicago in conjunction with Unisys (their contractor) is doing mass search of email servers and some file servers 
for references to the file name of the spreadsheet. 


- City is reviewing all workstations at OEMC to see if the spreadsheet is present on any of them. 


-Ispoke with| __] regarding possible need for on-site imaging tomorrow and he advised he'd have a resource b6 
ready for us if need be. b7Cc 
b7E 


b6 
b7Cc 
b7E 


RM D) (FBI) 


Sent: Wednesday, February 13, 2013 10:02 PM b7c 

To: 

Subject: Re: update #2 
CP - 

From 

To: 


Sent: Wed Feb 13 21:56:03 2013 
Subject: Re: update #2 


Thanks for doing thisp b6 
b7C 


Squad CY-2 
From: b6 
To: b7c 


Sent: Wed Feb 13 21:49:47 2013 
Subject: update #2 


- next status call to be at 815 am Thursday morning 


- Current belief is that this document was created by an OEMC employee. City has confirmed the information in 
spreadsheet is only as recent as 2009 and some of it is substantially outdated now. 


- Initial version of the spreadsheet forwarded by City of Chicago personnel to FBI had a last modified date of today 


(reflecting someone from City opening and doing a save as with the file most likely prior to forwarding it) which changed 
the last modified by user in Excel. 


[advised me that he directly downloaded the fil and the last modified 6 
date was in 2009 with a last modified by vse] orc has advi is is likel who I believe is a b7C 
[Ft OEMC. OEMC is going to confirm orning with bTE 


- City of Chicago in conjunction with Unisys (their contractor) is doing mass search of email servers and some file servers 
for references to the file name of the spreadsheet. 


- City is reviewing all workstations at OEMC to see if the spreadsheet is present on any of them 


bé 
- I spoke with __|regarding possible need for on-site imaging tomorrow and he advised he'd have a resource b7¢c 
ready for us if need be. b7E 


[oo 


si[_ bé 
b7C 


FBI Chicago 
sd ~ 


| |cemp) (FBI) 


From: Ce ——— Ee 


Sent: Wednesday, February 13, 2013 6:36 PM sl 
Subject: RE: Tweet 
author=[__ b6 
last saved by = CPD b7c 
company = OEMC 
City of Chicago, Department of Innovation and Technology 
b6 
b7C 
From] | 
Sent: Wednesday, February 13, 2013 5:28 PM 
To; 
Subject: RE: Tweet b6 
b7C 
please join the following bridge line now to discuss this event bvE 
888-557-8511 code[ | 
or 
215-446-3649 
City of Chicago, Department of Innovation and Technology a 


From 


Sent: Wednesday, February 13, 2013 4:53 PM b6 


b7E 


Subject: Fw: Tweet 


Follow up with the attachment referenced in prior email. 


Sent: Wed Feb 13 17:48:28 2013 ae 
Subject: RE: Tweet 
(lam attaching the actual spreadsheet that the URL downloads, you can see the sensitivity) 

: : b6 
Public Safety Information Technology — 
Chicago Police/ OEMC 
24 Hr Help Desk: 312-744-DATA 
www.ChicagoPolice.org<http://www.chicagopolice.org/> 
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 

b6 
b7C 
b7E 


Subject: RE: Tweet 


Commande —_| 


This is something the Criminal Cyber squad may be able to assist with. | have CC’d them in the event they are not in the 
office. 


[_} Commande _ is with Chicago PD and was our POC for thf Is this something youguy 6 
b7C 


can track down? 
b7E 


Thanks 


Sent: Wednesday, February 13, : 


tol] bs 
Subject: FW: Tweet b7C 


[ 


Is this something you can assist with? 


Thx 
b6 
b7C 


Public Safety Information Technology 
Chicago Police/ OEMC 


ee 


24 Hr Help Desk: 312-744-DATA 


b6 
b7C 


www.ChicagoPolice.org<http://www.chicagopolice.org/> 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


From{__ 


Sent: Wednesday, February 13, 2013 4:31 PM b6 
Subject: Tweet 


ae 


| received information from a reliable source concerning the below tweet and the possible compromise of camera 
system. Sending it your way for review to determine the validity. 


“OpLastResort 

@OpLastResort 

Ha #AaronSwartzDay. Details of every security camera in Chicago: 

Watch The Watchers... #opLastResort Reply Retweet Favorite More 

33 

RETWEETS b6 
10 b7c 
FAVORITES b7E 


8:33 AM - 11 Feb 13 
11 Feb 


@OpLastResort That's Brilliant, that! Bravo. 
Details" 


b6 
b7C 
b7E 


Bureau of Patrol 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


| RMD) (FBI) 


From: 

Sent: Wednesday, February 13, 2013 6:51 PM 
To: 

Subject: FW: Update / Camera Excel file 


b6 
b7C 


From 


Sent: Wednesday, February 13, 2013 5:49 PM 


Subject: Update / Camera Excel file ee 


FYI, hs 


Author: 

Last modified / CPD 
Created: 19 Jan 2006 
Time: 17:11:46pm 


Currently comparing this file to our Camera tracker program. 
Respectfully 
Operations Center 


b6 
Lt. b7¢c 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may 
contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or 
the person responsible for delivering this document to the intended recipient), you are hereby notified that any 
dissemination, distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. 
If you have received this e-mail in error, please respond to the individual sending the message, and permanently 
delete the original and any copy of any e-mail and printout thereof. 


| lew) (FBI) 


b6 
Sent: Wednesday, February 13, 2013 6:53 PM 
To: 
Subject: RE: Update / Camera Excel file 
author =[—____] bs 
last saved by = CPD bic 


company = OEMC 


b6 
b7Cc 


City of Chicago, Department of Innovation and Technology 


Sent: Wednesday, February 13, 2013 5:51 PM 


To: b6 


Subject: FW: Update / Camera Excel file as 


From 

Sent: Wednesday, February 13, 2013 5:49 PM 

Subject: Update / Camera Excel file 

FYI, 

Author[—___] bs 
Last modified / CPD b7c 
Created: 19 Jan 2006 

Time: 17:11:46pm 

Currently comparing this file to our Camera tracker program. 

Respectfully 


Operations Center 


Lt b6 
b7C 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original 

and any copy of any e-mail and printout thereof. 


| GD) Pe 
PE 


From: 

Sent: Wednesday, February 13, 2013 7:57 PM 

To: [eee 
Subject: Camera Information Disclosure Incident Update 


All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 


Bridge Info 


888-557-8511 code | b7E 
or 


215-446-3649 
concern 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
What is our current exposure? 


what's known 
1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 


2 - file contains an inventory of all (?) security cameras within the city 
3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 


information is included b7E 
4 - overall exposure related to file disclosure appears to be low at this time 
5 - metadata on file shows the following 
Author: 
Last modified / CPD b6 
Created: 19 Jan 2006 Pe 
possible DT] 
6 - Unisys has created an “action team" with separate bridge number to coordinate their activities - number will be 
shared once | get it. 
next steps 
b6 
b7C 


b7E 


City of Chicago, Department of Innovation and Technology 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 


this e-mail in error, please respond to the individual sending the message, and permanently delete the original 
and any copy of any e-mail and printout thereof. 


b6 
b7C 


| RMD) (FBI) fe 


b7Cc 
From: 
Sent: Wednesday, February 13, 2013 8:23 PM 
To: 
Cec: 
Subject: Re: Camera Information Disclosure Incident Update 


Sent from my iPad 


b7C 


> All - below are my raw notes as to what we know and what we're doing. 

> Please add/modify/correct as appropriate 

> 

> 

> Bridge Info 

> 888-557-8511 codef{ | b7E 
>or 

> 215-446-3649 

> 

> concern 

> 

> How did this file get loose? 

> Was it the result of a breach? Is there an active breach in our environment? 
> Was it simply sloppy handling / leakage? 

> Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
> What is our current exposure? 

> 

> what's known 

> 

>1- file "City and Sister agency camera List.xls" was released on 

> twitter earlier today (oplastresort) 

> 2 - file contains an inventory of all (?) security cameras within the 


> city 

> 3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 
information is include b7E 
> 

> 4 - overall exposure related to file disclosure appears to be low at 

> this time 

> 5 - metadata on file shows the following 

> Author b6 
> Last moditie b7Cc 


> Created: 19 Jan 2006 

> possible ID = 

> 6 - Unisys has created an "action team" with separate bridge number to coordinate their activities - number will be 
shared once | get it. 

> 


> next steps 


b6 
b7C 
b7E 


> 
> 
> 
> 
> 
> 
| | b6é 


> City of Chicago, Department of Innovation and Technology Bis 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


| lamp) (FBI) 


From: | b6 
Sent: Wednesday, February 13, 2013 8:32 PM b7¢c 
To: 

Ce: 
Subject: 


All, 


| just spoke a 3 This is certainly a dated document{——“—*~s*™*™*~*~”~”C”C”C”C~SYS 
b6 


b7C 
Sent from my iPad b7E 


> All - below are my raw notes as to what we know and what we're doing. 

> Please add/modify/correct as appropriate 

> 

> 

> Bridge Info 

> 888-557-8511 codef | b7E 
>or 

> 215-446-3649 

> 

> concern 

> 

> How did this file get loose? 

> Was it the result of a breach? Is there an active breach in our environment? 

> Was it simply sloppy handling / leakage? 

> Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 

> What is our current exposure? 

> 

> what's known 

> 

> 1- file "City and Sister agency camera List.xls" was released on 

> twitter earlier today (oplastresort) 

> 2 - file contains an inventory of all (?) security cameras within the 

> city 

> 3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 
information is included b7E 
> 

> 4 - overall exposure related to file disclosure appears to be low at 

> this time 

> 5 - metadata on file shows the following 

> oe  ———— b6 
> Last modified / CPD b7c 
> Created: 19 Jan 2006 

> possible ID 


> 6 - Unisys has created an "action team" with separate bridge number to coordinate their activities - number will be 
shared once | get it. 


> 

> next steps 

> 
b6 
b7C 
b7E 

> 

> 

> 

> 

> 
b6 
b7C 


> City of Chicago, Department of Innovation and Technology 
> 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


| [RMD) (FBI) 


From: [i ee 


Sent: Wednesday, February 13, 2013 8:38 PM 
To: 
Subject: 


Started in dept. 005 OBM in August 42003[ then she was appointed in March 01, 2005 to 
ept. 058. She resigned in March 15, 2006. 


| believe 058 is the OEMC. 


@partment of Innovation and Technology 
City of Chicago 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may 
contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or 
the person responsible for delivering this document to the intended recipient), you are hereby notified that any 
dissemination, distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. 
If you have received this e-mail in error, please respond to the individual sending the message, and permanently 
delete the original and any copy of any e-mail and printout thereof. 


b6 
b7C 


b6 
b7Cc 


b6 
b7C 


| emp) (BD 
ees! 


From: 

Sent: Wednesday, February 13, 2013 8:50 PM 
To: 

Subject: Re: 


[Es] 


[was able to get the name of the persan who modified the spreadsheet in ‘OS. i will see if he has if with him 
unless you already have it. 


Sent:. ry 13, 2013 08:45 PM Eastern Standard Time 
To: 
Subject: FW 


FYI below. 


a 
FBI Chicago 


From 


Sent: Wednesday, February 13, 2013 7:40 PM 
To: 
Subject: 7 1 


Since the spreadsheet appears to contain information reflecting updates as recent as 2009 (from what I can tell) 
somebody else was obviously working on this after she left. Is it possible to contact everyone that works at OEMC to see 
if anyone knows about this spreadsheet? 


SA 


SENSES SSS SS SS SSS ES SSS SES ESS SSS SESSLER CER CEREAL EERE ERE ERE ERE ER EEE ENE By 


Se . . 

To 

Subject: 

Started in dept. 005 OBM in August 42003[ ithe she was appointed in March 01, 2005 to 
eee 058. She resigned in March 15, 2006. 


| believe 058 is the OEMC. 


b6 
b7C 
b7E 


b6 
b7C 


b6 
b7C 
b7E 


b6 
b7C 


b6 
b7C 
b7E 


b6 
b7C 


b6 
b7C 


b6 
b7C 


Department of Innovation and Technology 

City of Chicago 
b6 
b7C 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this 
e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy 
of any e-mail and printout thereof. 


All e-mail to/from this account is subject to official review and is for official use only. Action may be taken in 
response to any inappropriate ( a | e-mail may contain information bIE 
that is privileged, law enforcement sensitive, or subject to other disclosure limitations. Such information is 

loaned to you and should not be further disseminated without the permission of If you have 


received this e-mail in error, do not keep, use, disclose, or copy it; notify the sender immediately and delete 
it. 


| (emp) (FBI) 


From: 

Sent: Wednesday, February 13, 2013 8:51 PM 
To: 

Subject: Ri 


Nobody remembered the mame but not many folks here frorn 06. The purge pretty well cleaned thern all out. 


Started in dept. 005 OBM in August 4,2003 [I then she was appointed in March 01, 2005 to 
[dept 058. She resigned in March 15, 2006. 


| believe 058 is the OEMC. 


Pa 


Department of Innovation and Technology 
City of Chicago 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may 
contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or 
the person responsible for delivering this document to the intended recipient), you are hereby notified that any 
dissemination, distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. 
If you have received this e-mail in error, please respond to the individual sending the message, and permanently 
delete the original and any copy of any e-mail and printout thereof. 


b6 
b7C 


b6 
b7C 
b7E 


b6 


b7C 


b6 
b7C 


| RMD) (FBI) 
Sent: Wednesday, February 13, 2013 8:55 PM b7c 


To: 
Subject: Re 


Wre had all the Ops people review Ht and no ore recognized it. It would make sense that tt would be useful in the OC but 
again, nolmany peanle around even fram OS. Ops reviewer! and like | saici earlier, some of it looked familiar to some but 
none recognized it in total. Phe OC logo has not been used for at least S yeras according to Ons. We'll circulate some 
more tomorrow and see if anyane else may know something. 


From{_ bé 


Sent:_Wednesday, February 13, 2013 07:40 PM b7Cc 
To: b7E 
Subject: RE: 


Since the spreadsheet appears to contain information reflecting updates as recent as 2009 (from what I can tell) 
somebody else was obviously working on this after she left. Is it possible to contact everyone that works at OEMC to see 
if anyone knows about this spreadsheet? 


From{ bs 
Sent: Wednesday, February 13, 2013 7:37 PM b7Cc 
To: 

Subject: 


Started in c 005 OBM in August 42003, ithe she was appointed in March 01, 2005 to b6é 


dept. 058. She resigned in March 15, 2006. b7c 
| believe 058 is the OEMC. 


b6 
b7C 


Department of Innovation and Technology 
City of Chicago 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this 
e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy 
of any e-mail and printout thereof. 


Rup) (FBI) 


From: ee bé 


Sent: Wednesday, February 13, 2013 9:00 PM b7¢c 

To: 

Subject: 

We are also physically examining the workstations in the QC for the file, but as[___]said the current staff doesn't Be 

recognize it and the Pils have been refreshed within the last two years (after 2009). My guess is that it’s an old b7c 

spreadsheet, developed and maintained by former staff, no longer in circulation mar in use. 

Fron | 

. . 7 b6 

b7C 
b7E 

Subject: Re: 

We had all the Ops people review it and no one recognized it. It would make sense that # would be useful in the OC but 

again, not many pearde around even fram OS. Gps reviewed and like | saic earler, some of it looked familar to some but 

none recagmzed iin total. The OC logo has not been used for at least 5 yeras according to Ons. We'll circulate some 

mare tarnorrow and see if anyone else may know something. 

From b6 

Sent: Wednesday, February 13, 2013 07:40 PM b7c 

To: b7E 


Subject: RE: 


Since the spreadsheet appears to contain information reflecting updates as recent as 2009 (from what I can tell) 
somebody else was obviously working on this after she left. Is it possible to contact everyone that works at OEMC to see 
if anyone knows about this spreadsheet? 


sa] b6 


FBI Chicago b7Cc 
b7E 

From 

Sent: Wednesday, February 13, 2013 7:37 PM 

To: 

Subject: 


Started in dept. 005 OBM in August 42003[ ithe she was appointed in March 01, 2005 to b6 
[ert 058. She resigned in March 15, 2006. b7C 


| believe 058 is the OEMC. 


[| 


Department of Innovation and Technology 
City of Chicago 


b6 
b7C 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this 


e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy 
of any e-mail and printout thereof. 


| | (RMD) (FBI) 


From: bé 
Sent: Wednesday, February 13, 2013 9:01 PM b7c 


To: 


Subject: Ri 


Same shared drives that will be searched, yes. Unisys will search fle servers in adcition ta email. 


v 


Fromq == = == 
Sent: Wednesday, February 13, 2013 07:56 PM Central Standard Time b6 
b7C 


b7E 


Subject: RE: 


iam curious ta find results of system searches for the fle and email. fs there a common network share? 


Fromy___ bé 
b7C 


Sent: Wednesday, February 13, 2013 7:55 PM or 


Subject: Re: 


We had all the Ops people review if and no one recognized if. if would rake sense that ff would be useful in the OC but 
again, not many people around even from OS. Ops reviewed and like | said earlier, some of Ht looked familiar to sore but 
none recognized it in total, Phe OC foge has not been used for atleast 5 yeras according ta Ops. We'll circulate some 


more tomorrow and see if anyone else may know something. 


b6 
b7C 
b7E 


Since the spreadsheet appears to contain information reflecting updates as recent as 2009 (from what I can tell) 
somebody else was obviously working on this after she left. Is it possible to contact everyone that works at OEMC to see 


if anyone knows about this spreadsheet? 


b6 


sq 
FBI Chi b7C 
b7E 


LUI III ITI III 


Fromg 
b6 


Sent: Wednesday, February 13, 2013 7:37 PM 
To: b7c 
Subjec 


Started in dept. 005 OBM in August 42003, SSS—_—ithen she was appointed in March 01, 2005 to 
[eet 058. She resigned in March 15, 2006. 


i, 


| believe 058 is the OEMC. 


| | 


Department of Innovation and Technology 
City of Chicago 


b6 
b7c 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this 
e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy 
of any e-mail and printout thereof. 


| (RMD) (FBI) 


Sent: Wednesday, February 15,2013 9:09 PM ae 
To: 


Subject: 


The name listed as “last saved by" is [| 


: seg Se “ g : b6 
i beheve that’s from OEM. Edon‘t know where mulled that name fram. He can call yau if necessary. 
kj y , b7c 


:55 PM Eastern Standard Time 


b6 
b7Cc 
bT7E 


Subject: Re: 


Thanks! 


To: 


Sent: Wed F 54: b6 
Subject: Re b7Cc 


b7E 


He doesn't know if he has it at home. He checking his files. Otherwise, he's calling in at 815 hrs. ff he finds it tondeht, (HY 
forward ta you. 


b6 
b7C 
b7E 


b6 
To: b7c 
Sent: Wed Feb_13 20:49:35 2013 b7E 
Subject: Re: 


[_ 


[us able te get the name of the persan who modified the spreadsheet in ‘OS. i wil see if he has it with him 
unless you already have i. 


From{ b6 
Sent: Wednesday, February 13, 2013 08:45 PM Eastern Standard Time b7c 
Subject: FW 


FYI below. 


a bs 
b7C 


FBI Chicago 


Sent: : 

b6 
To: b7c 
Subject: RE; 


Since the spreadsheet appears to contain information reflecting updates as recent as 2009 (from what I can tell) 
somebody else was obviously working on this after she left. Is it possible to contact everyone that works at OEMC to see 
if anyone knows about this spreadsheet? 


S 
- b6 
FBI Chicago b7Cc 
b7E 


From{_ 


Sent: Wednesday, February 13, 2013 7:37 PM b6 
To: b7c 
Subject: 


Started in dept. 005 OBM in August 4,2003 opener she was appointed in March 01, 2005 to 
[dept 058. She resigned in March 15, 3 b6 


b7Cc 
| believe 058 is the OEMC. 
, b6 
Department of Innovation and Technology bc 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this 
e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy 
of any e-mail and printout thereof. 


All e-mail to/from this account is subject to official review and is for official use only. Action may be taken in 
response to any inappropriate use his e-mail may contain information b7E 
that is privileged, law enforcement sensitive, or subject to other disclosure limitations. Such information is 
loaned to you and should not be further disseminated without the permission ff sd If you have 
received this e-mail in error, do not keep, use, disclose, or copy it; notify the sender immediately and delete 
it. 
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All e-mail to/from this account is subject to official review and is for official use only. Action may be taken in 
response to any inappropriate et ee es 5] This e-mail may contain information 
that is privileged, law enforcement sensitive, or subject to other disclosure limitatt i ation 1s 
loaned to you and should not be further disseminated without the permission of If you have 


received this e-mail in error, do not keep, use, disclose, or copy it; notify the sender immediately and delete 
it. 


All e-mail to/from this account is subject to official review and is for official use only. Action may be taken in 
response to any inappropriate eee e-mail may contain information 
that is privileged, law enforcement sensitive, or subject to other disclosure limitations. Such information is 
loaned to you and should not be further disseminated without the permission off sdf you have 


received this e-mail in error, do not keep, use, disclose, or copy it; notify the sender immediately and delete 
it. 


b7E 


bT7E 


| rm) (FBI) 


From: 
Sent: Wednesday, February 13,2013 9.29 PM re 
To: b7C 
° b7E 
Subject: RE: Camera Information Disclosure Incident Update 
Based on the camera information 2009 appears to be the last update of any kind to the data. 
b6 
b7C 


Public Safety Information Technology 
Chicago Police/ OEMC 


24 Hr Help Desk: 312-744-DATA 
www.ChicagoPolice.org 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


oO ———————— bs 


Sent: Wednesday, February 13, 2013 8:25 PM b7Cc 


Subject: RE: Camera Information Disclosure Incident Update 


just pointed out to me that | think we've all been looking at a slightly modified version of the 
spreadsheet. Modified in that the last modified property in Excel reflects that the last modified date had today's date b6 
which is probably the result of opening it on download and then saving it someplace.[ __ indicated he downloaded bic 
and that the last modified date was in 2009 with a last modified by user Biz 


2 es 


F b7C 
FBI Chicago DIE 
From: 
Sent: Wednesday, February 13, 2013 6:57 PM b6 


Subject: Camera Information Disclosure Incident Update 


All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 


Bridge Info 

888-557-8511 code{ | b7E 
or 

215-446-3649 


concern 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
What is our current exposure? 


what's known 


1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 
2 - file contains an inventory of all (?) security cameras within the city 


3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 
inf ion isi b7E 


4 - overall exposure related to file disclosure appears to be low at this time 

5 - metadata on file shows the following 

Author: 

Last modified / CPD 

Created: 19 Jan 2006 

possibleID4 b6 


6 - Unisys has created an "action team" with separate bridge number to coordinate their activities - number will be Bic 

shared once | get it. 

next steps 
b6 
b7C 
b7E 
b6 
b7C 


City of Chicago, Department of Innovation and Technology 


b6 
b7C 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


| [Rmp) (FBI) 


From: se 


Sent: Wednesday, February 13, 2013 9:37 PM bé6 
To: b7C 

b7E 
Subject: Re: Camera Information Disclosure Incident Update 


That may i a ( OEM. | can check tomorrow. The today date was probably as you surmised. We saved it to let b6 


rill into the properties. b7c 
no--- Original Message ----- 
From 
Sent: Wednesday, February 13, 2013 08:25 PM nes 
To: bIE 


Subject: RE: Camera Information Disclosure Incident Update 


[sus pointed out to me that | think we've all been looking at a slightly modified version of the 
spreadsheet. Modified in that the last modified property in Excel reflects that the last modified date had today's date b6 


which is probably the result of opening it on download and then saving it someplace[___ indicated he downloaded b7c 
2 TT that the lest modified date was in 2000 WRHislest modified by us’ =D? 


s——J bs 


FBI Chicago b7c 
b7E 


Sent: Wednesday, February 13, 2013 6:57 PM b6 


Subject: Camera Information Disclosure Incident Update 


All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 


Bridge Info 


888-557-8511 code] | b7E 


or 
215-446-3649 


concern 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 


1 


What is our current exposure? 
what's known 
1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 


2 - file contains an inventory of all (?) security cameras within the city 
3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 


information is included b7E 

4 - OVErall Exposure relate Isclosure appears to be lowat this time 

5 - metadata on file shows the following 

Author 

Last modified / CPD b6 

Created: 19 Jan 2006 b7c 

possible ID 

6 - Unisys has created an "action team" with separate bridge number to coordinate their activities - number will be 

shared once | get it. 

next steps 
b6 
b7C 
b7E 
b6 
b7C 


City of Chicago, Department of Innovation and Technology 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 
this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received 


2 


this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any 
copy of any e-mail and printout thereof. 


Po bs 
b7E 
FD-302 (Rev. 5-8-10) -l of 1- 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/20/2013 


On_ 02/14/2013, Federal Bureau of Investigation (FBI) Special agent| _| es 
(writer) conducted a preliminary review of the City of Chicago 
Office of Emergency Management (OEMC) file server having the designation 


OEMC-FSO1 and which was located at the OEMC offices at 1411 W. Madison St, 
Chicago, IL. Access to the file server was provided by OEMC system 


b6 
b7Cc 
b7E 


Investigation on 02/14/2013 Chicago, Illinois, United States (In Person) 


Fite 4| | Date drafted 03/20/2013 b3 
b6 

wy SAP p7c 

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not b7E 


to be distributed outside your agency. 


oo 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 03/20/2013 


to conduct review of additional workstations for 
stolen spreadsheet 


Title: (U) Request 
evidence o 


b6 


CITY OF CHICAGO - VICTIM; 


[ 


Synopsis: (U) 2/22/13 email request to conduct review of additional 


£ 


workstations for evidence of stolen spreadsheet 


Fhe ct 


4 


UNCLASSIFIED 


| (RMD) (FBI) 


From: b6 

Sent: Friday, February 22, 2013 12:25 PM mis 

To: 

Cc: 

Subject: Re: Camera Information Disclosure Incident Update 

To give an update on things, 

The computer associated with avho no longer works here) has apparently been recycled already. The other 

computer belonging t hasn't been looked at yet as doesn't come in til 4. We've left a message with 

nim so that we can try and walk him through checking some things himseif so we can assess the situation further. b6 
b7C 
b7E 
b6 
b7C 


Subject: Re: Camera Information Disclosure Incident Update 


[is just filling me in. bcan ravef | available in the morning if necessary. 


Sent: Thursday, February 21, : b7C 


To: b7E 


Cc: 
Subject: Re: Camera Information Disclosure Incident Update 


The target computers are in the NMC which is staffed by a Unisys sub. 


Sent: Thursday, February 21, : entral Standard Time b7C 


To: b7E 


Ce: 
Subject: Re: Camera Information Disclosure Incident Update 


Mi have to check. Neither name sounds familiar. 


b7C 


Sent: Thursday, February 21, 2013 04:30 PM By 
E 
To: 


Subject: RE: Camera Information Disclosure Incident Update 


Thanks. I’ll plan to be there around 10am then. Can we check to confirm if the employees associated with the 


accounts[|___—=—=——S——————_jare expected to be there tomorrow (or at least their computers will be there?) bé 
b7C 


Speciat AgentL__ si 


FRE Chicago 


From: 

Sent: Thursday, February 21, 2013 4:27 PM 

To b6 
Cc b7c 


b7E 
Subject: Re: Camera Information Disclosure Incident Update 


[ 
Le 


On Feb 21, 2013, at 4:25 PM, [TF wrote: 


Nm copying [duo will be your Haisor as i'm out of town-- will ensure the actions b6 


are followed and will facilitate the conversatian with[ as indicated, b7¢c 
[_] car you provide your contact info forL__ | 
Thx 


b6 
b7C 
b7E 


b7E 


b6 
b7C 
b7E 


Based on where the 


Sent: : b7c 
To: 

Subject: Re: Camera Information Disclosure Incident Update 

Thank you. 

noo-- Original Message ----- 

Sent: Tuesday, February 19, 2013 04:16 PM b6 
| pyc 
Subject: Re: Camera Information Disclosure Incident Update b7E 


We picked up the copy of the file server this moming[ 
ed We'll continue to look at it to see if we can come up with anything else. 


b6 
b7Cc 


Sent: Tue Feb 19 19:11:17 2013 
Subject: RE: Camera Information Disclosure Incident Update 


Any update? Thanks. 


noe Original Message----- 

a be 
Sent: Friday, Februa 25 b7Cc 
To b7E 
Subject: Re: Camera Information Disclosure Incident Update 


It shouldn't affect the server at all. 


b6 
b7c 
Sent: Fri Feb 15 14:23:37 2013 
Subject: RE: Camera Information Disclosure Incident Update 
[_]po you anticipate any interruptions in service while running this? That is my only concern. 
non-- Original Message----- 
Fro b6 
Sent: Friday, February 15, 2013 1:20 PM b7C 
T 
Subject: RE: Camera Information Disclosure Incident Update 
Thanks L Jhavq fall my cell when he gets to the lobby[ dt and we'll bring him up. 
b6é 
b7c 


Public Safety Information Technology 
Chicago Police/ OEMC 


24 Hr Help Desk: 312-744-DATA 


ry 


sew A 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have 
received this e-mail in error, please respond to the individual sending the message, and permanently delete the 
original and any copy of any e-mail and printout thereof. 


From: b6 
Sent: Friday, February 15, 2013 1:18 PM b7c 
To: b7E 
Subject: RE: Camera Information Disclosure Incident Update 
Gentlemen, 
Our forensic examiner and another agent from my squad. S 1 1 b6 
b7C 
b7E 
Special Agent] 
FBI Chicago b6 
Email: b7c 
Desk b7E 
Fax: 
Annee Ori eer 
From : 
Sent: Friday, February 15, 2013 9:48 AM b6 
To b7C 
Subject: RE: Camera Information Disclosure Incident Update 
10/4 
noo Original Message----- 
From: b6 
Sent: Friday, February 15, 2013 9:36 AM b7C 
To b7E 
Subject: RE: Camera Information Disclosure Incident Update 
Below is the update from Unisys with their email scans. Basically its taking much longer than anticipated and they 
haven't found anything yet. 

b7E 


From: 
Sent: Friday, February 15, 2013 9:32 AM 
To} 


Subject: RE: Camera Information Disclosure Incident Update 


Thanks, 
I'll let you know if we come across anything from the 
forensic image itself. 


Special Agen{__ | 
FBI Chicago 

Email 

Desk 

Fax: 


Subject: RE: Camera Information Disclosure Incident Update 


I talked to 


Public Safety Information Technology 
Chicago Police/ OEMC 


24 Hr Help Desk: 312-744-DATA 


qnnay. Chicago Police or 

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have 
received this e-mail in error, please respond to the individual sending the message, and permanently delete the 
original and any copy of any e-mail and printout thereof. 


From 
Sent: Thursday, February 14, 2013 5:58 PM 
To; 


Subject: RE: Camera Information Disclosure Incident Update 


I will ask them. 


From: 


Sent; Thursday, February 14, 2013 5:57 PM 
tof | 


6 


be 
b7C 
bT7E 


b6 
b7C 
b7E 


b6 
b7C 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


Subject: RE: Camera Information Disclosure Incident Update 


FBI Chicago 
Email 


Subject: RE: Camera Information Disclosure Incident Update 
10/4. Thank you. I contacted CHA with a brief update. Will we[_____|be providing guidance to the affected 
agencies? In particular CHA on what further actions to take. 


From: 
Sent: Thursday, February 14, 2013 4:52 PM 
To 


Subject: Re: Camera Information Disclosure Incident Update 


Just finished imaging the laptop hard drive. I may be able to do a preliminary review tonight but more likely 
tomorrow sometime before I'll have anything to report. 


ent: Thu Fe :20: 
Subject: RE: Camera Information Disclosure Incident Update 


Got it. thx for the update. 


b6 
b7C 
b7E 


b6 
b7Cc 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
bT7E 


Sent: Thu Feb 14 09:57:09 2013 
Subject: Re: Camera Information Disclosure Incident Update 


Thanks 


b6 
b7Cc 
b7E 


b6 
b7C 
b7E 


ent: Wed Fe 364 3 
Subject: Re: Camera Information Disclosure Incident Update 


That may be n OEM. I can check tomorrow. The today date was probably as you surmised. We saved it b6 
to let rill into the properties. b7c 


b6 
b7C 
b7E 


just pointed out to me that I think we've all been looking at a slightly modified version of 
the spreadsheet. Modified in that the last modified property in Excel reflects that the last modified date had today's b6 


date which is probably the result of opening it on download and then saving it someplace. [__ indicated he b7c 
downloaded the file nd that the last modified date was in 2009 with a last b7E 
modified by user 


sf 

FBI Chicago b6 
b7C 
b7E 

: b6 

Subject: Camera Information Disclosure Incident Update b7c 

All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 

Bridge Info 

888-557-8511 code:|___| bIE 

or 


215-446-3649 


concem 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
What is our current exposure? 


what's known 


1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 

2 - file contains an inventory of all (?) security cameras within the city 

3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network 

information is include bT7E 


4 - overall exposure related to file disclosure appears to be low at this time 

5 - metadata on file shows the following 

Author{ ___ b6 
Last modified / CPD b7C 
Created: 19 Jan 2006 

possible ID 

6 - Unisys has created an "action team" with separate bridge number to coordinate their activities - number will be 

shared once I get it. 


next steps 


b6 
b7Cc 
b7E 


b6 
b7C 


ity 0 cago, Department of Innovation and Technology 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have 
received this e-mail in error, please respond to the individual sending the message, and permanently delete the 
original and any copy of any e-mail and printout thereof. 

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 
responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have 
received this e-mail in error, please respond to the individual sending the message, and permanently delete the 
original and any copy of any e-mail and printout thereof. 


pT = 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rey. 10-16-2009) 


Form Type: EMAIL Date: 03/20/2013 


Title: (U) Summary of malware identified on OEMC file server 


b3 
prafted By: saL___ ts 
b7Cc 


b7E 
Case ID #: [ (U) UNSUB - SUBJECT; 


CITY OF CHICAGO - VICTIM; 


Synopsis: (U) Summary of malware identified on Office of Emergency 
Management and Communications file server 


o¢ 


UNCLASSIFIED 


b6 


b7C 
b7E 
SA 
FBI Chicago bs 
b7C 
b7E 
Fromf be 
Sent: Tuesday, February 19, 2013 6:33 PM b7c 
aE 
Subject: Re: Camera Information Disclosure Incident Update 
b6 
b7C 
b7E 
We picked up the copy of the file server this morning. 
aa We'll continue to look at it to see if we can come up with anything else. 
b6 
Sent: Tue Feb 19 19:11:17 2013 b7c 
Subject: RE: Camera Information Disclosure Incident Update 
Any update? Thanks. 
noe Original Message----- 
From 
Sent: Friday, February 15, 2013 1:25 PM b6 
To: b7C 
Subject: Re: Camera Information Disclosure Incident Update b7E 
It shouldn't affect the server at all. 
Subject: RE: Camera Information Disclosure Incident Update b6 
b7c 


[Do you anticipate any interruptions in service while running this? That is my only concern. 


2 


From b6 


Sent: Friday, February 15, 2013 1:20 PM b7c 
rd 
Subject: RE: Camera Information Disclosure Incident Update 


Thanks___] have [call my cell when he gets to the lobby[ and we'll bring him up. b6é 


b7C 
=a 


Public Safety Information Technology 


Chicago Police/ OEMC 
b6 
b7Cc 
24 Hr Help Desk: 312-744-DATA 
www. CbhicazoPalice org 
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged 
and/or confidential information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this 
document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this e-mail, 
and any attachment thereto, is strictly prohibited. If you have received this e-mail in error, please respond to the individual sending the 
message, and permanently delete the original and any copy of any e-mail and printout thereof. 
From: b6 
Sent_ Friday, Februa : b7C 
Subject: RE: Camera Information Disclosure Incident Update 
Gentlemen, 
Our forensic examiner and another 
agent from my squad, SA|———__—s| will be planning to be at OEMC at 2PM. b6 
b7Cc 
b7E 


FBI Chicago b7c 
Email b7E 
Desk 

Fax: 


b6 
b7c 
b7E 
10/4 
non=- Original Message----- 


re b6 
Sent: Friday, February 15, 2013 9:36 AM b7c 
T b7E 


Subject: RE: Camera Information Disclosure Incident Update 


Below is the update from Unisys with their email scans. Basically its taking much longer than anticipated and they haven't found 
anything yet. 


b7E 


wens Original Message----- 
Sent: Fri : b7c 
b7E 


ubject: RE: Camera Information Disclosure Incident Update 


Thanks 
et you Know if we come across anything from the forensic image itself. 


Special Agent{_ 


FBI Chicago 
oe b6 
Faxt b7C 
i b7E 
----- Original M ----- 
From: 
Sent: Friday, February 15, 2013 9:24 AM b6 
To: b7c 
b7E 
Subject: RE: Camera Information Disclosure Incident Update 
I talked t 
b6 
b7Cc 
: : b7E 
Public Safety Information Technology 
Chicago Police/ OEMC 
b6 
24 Hr Help Desk: 312-744-DATA bic 


y 


www. ChicagoPolice ore 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged 
and/or confidential information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this 
document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this e-mail, 
and any attachment thereto, is strictly prohibited. If you have received this e-mail in error, please respond to the individual sending the 


4 


message, and permanently delete the original and any copy of any e-mail and printout thereof. 
From 

Sent: Thursday, February 14, 2013 5:58 PM 

To 

Subject: RE: Camera Information Disclosure Incident Update 

I will ask them. 

From: 

Sent: Thursday, February [4, 


To 


Subject: RE: Camera Information Disclosure Incident Update 


Ti) 


Special Agen[__ 
FBI Chicago 

Email: 

Desk 


Fax: 


ubject. RE: Ormation Disclosure Incident Update 


10/4. Thank you. I contacted CHA with a brief update. Will we[__e providing guidance to the affected agencies? In 
particular CHA on what further actions to take. 


From 
Sent: Thursday, February 14, 2013 4:52 PM 
To: 


Subject: Re: Camera Information Disclosure Incident Update 


Just finished imaging the laptop hard drive. I may be able to do a preliminary review tonight but more likely tomorrow sometime 
before I'll have anything to report. 


Sent: Thu Feb 14 12:26:38 2013 
Subject: RE: Camera Information Disclosure Incident Update 


Got it. thx for the update. 


To: 


b6 
b7C 
b7E 


b6 
b7Cc 
b7E 


b6 
b7C 
b7E 


b6 
b7c 
bT7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b6é 
b7C¢ 
b7E 


-_ a = Best Disclosure Incident Update 


look at the server 


Sent: Thu Feb 14 09:57:09 2013 
Subject: Re: Camera Information Disclosure Incident Update 


Thanks 


Sent: Wed Feb 13 21:36:46 2013 
Subject: Re: Camera Information Disclosure Incident Update 


That may beL___in OEM. I can check tomorrow. The today date was probably as you surmised. We saved it to let{_—_Jaritl 
into the properties. 


ubject: RE: Camera Information Disclosure Incident Update 


just pointed out to me that I think we've all been looking at a slightly modified version of the 
spreadsheet. Modified in that the last modified property in Excel reflects that the last modified date had today's date which is probably 
the result of opening it on download and then saving it someplace.[____Jindicated he downloaded the file 
land that the last modified date was in 2009 with a last modified by user 


SA 


FBI _ 


b6 
b7C 
b7E 


b6 
b7Cc 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b6 
b7C 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


b6 
b7C 
b7E 


From: re 
Sent: Wednesday, February 13, 2013 6:57 PM bic 
T 

Subject: Camera Information Disclosure Incident Update 


All - below are my raw notes as to what we know and what we're doing. Please add/modify/correct as appropriate 


Bridge Info 

888-557-8511 coaf | bIE 
or 

215-446-3649 


concem 


How did this file get loose? 

Was it the result of a breach? Is there an active breach in our environment? 

Was it simply sloppy handling / leakage? 

Can the data in the file be leveraged directly, indirectly or as part of wider information gathering activities? 
What is our current exposure? 


what's known 


1 - file "City and Sister agency camera List.xls" was released on twitter earlier today (oplastresort) 

2 - file contains an inventory of all (?) security cameras within the city 

3 - it appears that all of the data within the file is related to the physical attributes of the cameras and that no network information is 

include b7E 


4 - overall exposure related to file disclosure appears to be low at this time 
5 - metadata on file shows the following 


Author b6 

Last modified / CPD b7Cc 

Created: 19 Jan 2006 

possible ID 

6 - Unisys has created an "action team" with separate bridge number to coordinate their activities - number will be shared once I get it. 

next steps 
b6 
b7C 
b7E 
b6 
b7C 


City of Chicago, Department of Innovation and Technology 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged 
and/or confidential information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this 
document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this e-mail, 


7 


and any attachment thereto, is strictly prohibited. If you have received this e-mail in error, please respond to the individual sending the 
message, and permanently delete the original and any copy of any e-mail and printout thereof. 

This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged 
and/or confidential information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this 
document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this e-mail, 
and any attachment thereto, is strictly prohibited. If you have received this e-mail in error, please respond to the individual sending the 
message, and permanently delete the original and any copy of any e-mail and printout thereof. 


_—————— : 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rey. 10-16-2009) 


Form Type: EMAIL Date: 03/20/2013 


Title: (U) Case status update as of 2/13/13 


b3 
b6 


b7E 
case ip#:[————Ss(U)s SUB - SUBJECT; 
CITY OF CHICAGO - VICTIM; 
Synopsis: (U) Case status update as of 2/13/13 emailed from SA 
b7Cc 
4 


UNCLASSIFIED 


| | b6 
RMD) (FBI) b7C 


From: LT ] 

Sent: Wednesday, February 13, 2013 7:13 PM 
To: 

Subject: status update 


Just concluded call. We are going to have a follow up in 1 hr to report any updates. Current situation is as follows: 


- Spreadsheet contains legitimate information. The source from which the spreadsheet was obtained and how it was 
obtained are still unknown. 


b7E 


City of Chicago's CISO assessed the risk posed to the city by a network based attack based only off 
of the information in the spreadsheet as low. 


- Chicago IT personnel are going to begin searching email and file servers to attempt to find where the exfiltrated 
spreadsheet resides on Chicago's systems to give a starting point from an investigative perspective. 


- Author of spreadsheet appears to be a nd spreadsheet was initially created in 20 ile bé6é 
roperties. Some confusion at this point wh is and what her role with city is/was. There is b7c 
nd city is making inquiries to ascertain if this is the same 


person. 


- Advised City of Chicago personnel that the FBI would be opening an investigation into this matter. 


5 eae call which had personnel from = B7E 
ity of Chicago CIO's office, OEMC, and CPD on the call. 


- Twill emaill___]to let him know that there may be a need for on-site imaging tomorrow depending on what we find in pé6 


terms of where this spreadsheet was pulled from. b7c 
SA 
FBI Chi 
b6 
b7C 


b7E 


< 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 03/20/2013 
Title: (U) Email from[ (CPD) r.e. stolen city of chicago 
spreadsheet 


b6 


Case ID #: [ (U) UNSUB - SUBJECT; b3 


CITY OF CHICAGO - VICTIM; b7E 


Synopsis: (U) Email from cpepL___ J received 


02/13/13 which advised that City of Chicago spreadsheet had been posted se 


via Twitter via twitter handle @OpLastResort. Spreadsheet specifically b7c 
posted to b7E 
o¢ 


UNCLASSIFIED 


| |(RMD) (FBI) b6 
b7C 


From: 

Sent: Wednesday, February 13, 2013 5:48 PM 
To: 

Subject: RE: Tweet 

Attachments: City and Sister agency camera List.xls 


(I am attaching the actual spreadsheet that the URL downloads, you can see the sensitivity) 


b6 
b7C 


Public Safety Information Technology 
Chicago Police/ OEMC 


24 Hr Help Desk: 312-744-DATA 


www, ChicagoPollce or 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential 
information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this document to the intended recipient), you are hereby 
notified that any dissemination, distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this e-mail in 
error, please respond to the individual sending the message, and permanently delete the original and any copy of any e-mail and printout thereof. 


SSAA SS RLEEREELEEEEELUALEEL ALES ELA DEALS EL LALLA EAE LASS LMA SEEDS ESE IAS SEE EE EEE EE se sess EEE SIE ES SESE ESI IS EMESIS ESSIEN ESSE ESSN ESSN SSSASS SNES SSS SSS 


From{__ bé 


Sent: Wednesday, February 13, 2013 4:47 PM b7c 
b7E 
Subject: RE: Tweet 
commande| | 
in . A res : . ; one ray 23 er, 6 
This is something the Crirninal Cyber squad may be able te assist with. [| have CC’d them in the event they are not in the pyc 


office, b7E 


[} commander[__] is with Chicago PD and was our POC far thel ec. is this something you guy 


can track dawn? 


Thanks, 


Sent: Wednesday, February 13, Bie 
Subject: > Twee 


[| 


Is this something you can assist with? 


Thx 
b6 
b7Cc 
Public Safety Information Technology 
Chicago Police/ OEMC 
b6 
b7C 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential 
information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this document to the intended recipient), you are hereby 
notified that any dissemination, distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this e-mail in 
error, please respond to the individual sending the message, and permanently delete the original and any copy of any e-mail and printout thereof. 


Sent: Wednesday, February 13, 2013 4:31 PM 
Subject: Twee 


[ 


| received information from a reliable source concerning the below tweet and the possible compromise of camera 
system. Sending it your way for review to determine the validity. 


“OpLastResort 
@OpLastResort 


Ha #AaronSwartzDay. Details of every security camera in Chicago: 
pte ee ee: | ae 


Watch The Watchers... #opLastResort b7Cc 
Reply Retweet Favorite More b7E 
33 

RETWEETS 

10 

FAVORITES 

8:33 AM - 11 Feb 13 

11 Feb 

@OpLastResort That's Brilliant, that! Bravo. bé 
Details" 


b7C 


Bureau of Patrol 


This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person 


2 


responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, 
distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this e- 
mail in error, please respond to the individual sending the message, and permanently delete the original and any copy of 
any e-mail and printout thereof. 


Ed 
b7E 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


FD-1057 (Rev. 5-8-10) 


Title: (U) Document disposition of evidence items Date: 09/23/2015 
1B1 and 1B2 


b7C 


From: CHICAGO 
CG-CY-3 


b6 


b7C 


Case ID #: [ (U) UNSUB - SUBJECT; 


CITY OF CHICAGO = VICTIM; 


Synopsis: (U) Document disposition of evidence items 1Bl1 and 1B2 
Full Investigation Initiated: 02/15/2013 


Enclosure(s): Enclosed are the following items: 


ane (U) FD-1004 for 1Bl1 
25 (U) FD-1004 for 1B2 
Details: 


On 08/03/2015 at 1:00 PM CDT, the following evidence items were 


disposed of via forensic wiping: 


Item 1B1, 500GB Western Digital HDD S/N WXD1A71A8938, barcode E5233604 
Item 1B2, 2TB Western Digital HDD S/N WMAY05245773 barcode E5233605 


A 1A package containing the original FD-1004 chain of custody forms 


has been included in the file. 


UNCLASSIFIED 


Tastee: 


(U) 


[ 


UNCLASSIFIED 


Document disposition of evidence items 11 


BI 


and 1! 


B2 


res) 09/23/2015 


o¢ 


UNCLASSIFIED 


2 


b3 
b7E 


Sentinel! Working Copy 


= = 


Evidence Details 


Case: 
1B1 


Description: 


(U) S500GB Western Digital hard drive S/N WXD1A71A8938 c 


forensic image (E01) of computer hard drive assigned to 


(OEMC) 


Acquired On: 


Receipt ltem #: 


CART Information 
Type 


Number Collected 


Discovery Location 
Area: 


Specific: 


[ 


Item: 


02/14/2013 05:00 PM CST Eligible for Forfeiture: 


None 


Mass Storage Device 


1 


1411 W. Madison St, 
Chicago, IL 
OEMC 


Anticipated Disposition 


Storage Information 
Holding Office: 


None on None 


CHICAGO 


No 


Special Handling: 


None 


Hazardous Materials: 


None 


Batteries Charged 


No 


Acquired by CART 


Yes 


SA 


None 


Finalized Bys[__ 


Location: 


E03929001 - ECRI1, 


ae Barcode #: 
Chain of Custody 
Shipping / Transfer Log 


History 


E5233604 


Acquisition Event Details 


Acquisition Event: 


(U) Aquisition of forensic image (E01) 


assigned to 


] of 2 


(OEMC) 


None 


of computer hard drive 


Coll 


ROW, ACCORDIANSUCFN ORDER 


d By: 


Others: 


Last Inventory: 


= 


b7E 


b6 
b7C 


b6 
b7C 


b6 
b7Cc 


b6 
b7C 


3/11/2013 3:49 PM 


FD-1004 FEDERAL BUREAU OF INVESTIGATION 
bea EVIDENCE CHAIN-OF-CUSTODY 


Evidence Type: O General O Drug QO Firearm/Weapon 
L+CART C] Valuable O Firearm/Other 


. Special Handling Instructions Initial Receipt 


b6 
O Batteries C] Biohazard  FGJ re a b7Cc 
O HAZMAT O Latents O Refrigerate : 
O Req. Charging None Eee eral OO EM 
O Other Bec ee) 


Date and Accepted Custody = “Date and 
Time | Time 


A b6 


Accepted Custody « 7, Date and : 
Time _. Time b6 
he adr si 
, ied 


Date and Accepted Custody ' Date and 
Time |. Time b6 

b7C 
a 


Reason Q Esra ED 
nquished Custody 


 Reli Date and Accepted Custody . et Date and 
Time ‘|: Time — 


a 


Printed Name: Printed Name: 


Relinquished Custody Date and Accepted Custody Date and 
Time |. Time 


Printed Name: Printed Name: 


Firearms Certification: 
Printed Name: Signature: Date: 


Case vo s—sdY 1B: cat AS Barcode: ES Z 396 0 wi cae 


b7C¢ 
bTE 


Sentinei Working Copy 


Evidence Details 


Description: 


1B2 


(U) 2TB Western Digital hard drive bearing S/N WMAY05245773 
containing logical image of OEMC file server. 


Acquired On: 02/19/2013 10:15 AM CST Eligible for Forfeiture: 


Receipt Item #: None 


CART Information 


Type Mass Storage Device 


Number Collected 1 


Discovery Location 
Area: 1411 W. Madison St, 
Chicago, IL 
Specific: OEMC 


Anticipated Disposition 
None on None 


Storage Information 
Holding Office: CHICAGO 


b3 
b7E 
Item: 
No 
Special Handling: 
None 
Hazardous Materials: 
None 
Batteries Charged 
No 
Acquired by CART 
Yes 
Collected By: 
SA b6 
Others: Bie 
None 


b6 
Finalized By: [__ |Last inventory: | Ic 


Location: 


None 


E03929001 - ECR1, ROW, ACCORDIANSUCFN ORDER 


ye Barcode #: E5233605 
Cfiain of Custody 
Slipping / Transfer Log 
History 
Acquisition Event Details 


Acquisition Event: 


(U) Aquisition of logical image of OEMC file server 


Acquired By: 
SA 


1 of 2 


b6 
b7C 


3/11/2013 3:56 PM 


FD-1004 FEDERAL BUREAU OF INVESTIGATION 
popes EVIDENCE CHAIN-OF-CUSTODY 


Evidence Type: OU General O Drug O Firearm/Weapon 
AX CART O Valuable O Firearm/Other 


| Special Handling Instructions __ Initial Receipt 


O Batteries O Biohazard O FGJ b7c 
XO HAZMAT CO] Latents O Refrigerate | Printed Name] 

O Req. Charging None Printed Name 

5 Other 


Relinquished Custody Accepted Custody. 


: Z oi Cri cee b6 
_1& 
ee reel ee! 
Reason: Chee (A Reason: 


ye Relinquished Custody 


b6 
b7C 


Relinquished Custody Accepted Custody 


ald 


; 


| -Reling hed stody < Sie Accepted Custody — vs 


ee 


Printed Name: Printed Name 


~ Relinquished Custody bere Accepted Custody oe 
. Time 7 


Firearms Certification: 


Printed Name: Signature: Date: 


Case old IB: 2 Barcode: BZ 6225 b3 


bT7E 


FD-340a (Rev. 1-27-03) 


Ib7E 
ile No. q 
Item Date To be returned Disposition 
, Filed Yes No — 
be iz 41 (U) Excel spreadsheet search results _Digital 
: 2 >(U) CD-R containing malware analysis results _ ‘Physical bvE 
Bia 3 (U) Consent to search computer form ‘Digital and Physical 


ES 


(U) Consent to search computer form 


(ud 


‘Digital and Physical 


t 
Hl 


Digital 


5 
6 ((U) 2-13-13 email communications ‘Digital | DIE 


ar ae ae 
Va Digital 


j 


FD-340 (Rev. 4-11-03) 


@ 


File Number 


Field Office Acquiring Evidence ee oe 


c 


Serial # of Originating Document 


zle ls. 


Date Received 


(Name of Contributor/Interviewee) 


(Address) 


(City and State) 


To Be Retumed [1 Yes “TI No 
pea 
Receipt Given, [1 Yes L] No 


Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 


C] Yes 
Federal Taxpayer Information (FTI) 


EFNo 
[1 Yes an - 


Title: s : &. 
UNGUs - SUBUIECT! 
C.CTY oF CHHCABO — 
Reference: ; : 
(Communication Enclosing Material) 
Description: [1 Original notes re interview of 


Ch- RB. eyytoaum 


SB ot 


- From _ ait ALIUAe= ANU ALYSI > ; 


By A | | | | 


A tee 


ANOS ERE ore ar acai 
“ 


ne 


b7E 


e 


“b6 
b7c 


“b3 
b7E 


bTE 


% c 
FD-340 (Rev. 4-11-0 = ; b3 

: —_ b7E 
File Number : ¥ ‘ 


Field Office Acquiring Evidence ct ; : 7 : 


penal # of Originating Document : t 
Date Received Ge. rf - _ 
= Se ee b6 


(Name of Contributor/Interviewee) 


(Address) : 3 > 


Chas 


ce ie 


bé 
b7C 

By £ 

To Be Returned [] Yes ET No q 

Receipt Given [] Yes ee LENG 


Grand Jury Material - Disseminate Only Pursuant to Rule 6 ©) 
Federal Rules of Criminal Procedure 


[1 ves At No 
Federal Taxpayer Information (FTI) 


| Yes Erno ~ 


Title: way, Re Sv Ser, i : 
CY oF CH CALO- “LCT | 
i '. bIE 
fa, 7 : 
Reference: 


(Communication Enclosing Matertal) 


_ Description: oO Original notes re interview of 


Conseat bo Sear. compubes Lown 


Seen eee 


as wee ae i + Bem, i3 
Age Wise ay eee 2h : ! 


ey os eee = 2 
FD340b (Rev. 4:11-03) | eee , 


eS «. Mn 
} I b3 
gE‘! gh b7E 
Bile Number £ 


Field Office Acquiring Evidence 


Serial # of Originating Dacumept 


Date Received 
b6 


From b7C 


[441 Wu. Mad 2 an St q 
(Address). j 


— Chicewp, TL 


(City and State) cf y 
; : . be 


To Be Returned [] Yes —fT wo 
Receipt Given (] Yes EI-No 
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

C) Yes TT No 
Federal Taxpayer Information (FTI) . : ; é ‘ 

{] Yes CLT No 
ile: UNE - SURIECr 
CITYORC Hi cAio-Uicrun 
3 BS 
. - BIE 
Reference: 

(Communication Enclosing Material) 


Description: _ (1 Original notes re interview of . 
1 b6 


Consenk-lo sear fec P| ; ; ; b7Cc 
: : ae A 
L tee, . 
Roa : 
hg ; 
: ; 


cate 


C ie 


FD-340b (Rev. 4-11-03) 


Field Office Acquiring Evidence Ck 
Serial # of Originating Document 
Date Received (2: f 


From 
(Name of Contributor. Interviewee) 


" (Address) 


(City and State) 


To Be Returned CL] Yes —Et-No 


Receipt Given L] Yes te); No 
Grand Jury Matcrial - Disseminate Only Pursuant to Rule 6 (c) 
Federal. Rules of Criminal Procedure 


CI Yes EF-No 


Federal Taxpayer Information (FTI) 


L] Yes a < 


Title: 


Reference: 
(Communication Enclosing Material) 


Description: C] Original notes re interview of 


F)- 100 S.A, TBD 


b7E 


b6 
b7C 


Sentinel, Working Copy [ 
om RR 


b3 
od 
Evidence Details bTE 
1B1 
Description: ‘ 
(U) 500GB Western Digital hard drive S/N WXD1A71A8938 co ini 
forensic image (E01) of computer hard drive assigned to b6 
(OEMC) b7C 
Acquired On: 02/14/2013 05:00 PM CST Eligible for Forfeiture: 
No 
Receipt Item #: None Special Handling: 
None 
Hazardous Materials: 
None 
CART Information 
Type Mass Storage Device Batteries Charged 
No 
Number Collected 1 Acquired by CART 
Yes 
Discovery Location 
Area: 1411 W. Madison St, : Ke 
Chicago, IL SA BG 
Specific: OEMC Others: < 
None 


Anticipated Disposition 
None on None 


Storage Information 
Holding Office: CHICAGO 


None b7c 


Location: 
#03929001 -~ ECR1, ROW, ACCORDIANSUCFN ORDER 


a Barcode #: E5233604 
Chain of Custody 
Shipping / Transfer Log 
fiistory 


Acquisition Event Details 


Acquisition Event: 
(U) Aquisition of forensic image (E01) of computer hard drive 
assigned tof (OEMC) b6 
b7Cc | 


1 of 2 3/11/2013 3:49 PM | 


! 


Sentinel Working Copy 


2 of 2 


Acquired By: 
SS 


Acquired Erom: 
(U) CART FE 


Acquired On: 
02/14/2013 


Receipt Given: 
No 


Holding Office: 
CHICAGO 


Evidence Log: 


{| 


b3 
b7E 


3/11/2013 3:49 PM 


_ FD-1004 FEDERAL BUREAU OF INVESTIGATION 
We onie EVIDENCE CHAIN-OF-CUSTODY 


Evidence Type: © General O Drug O Firearm/Weapon 
LI-CART CO Valuable QO Firearm/Other 


il 
C1 Req, Charging C1None a 
O Other Rea rae 


Relinquished Custody Accepted Custody 
- Time 


Signature: | alt 
318 PM 
Printed Name:] 


Reason: CHYACGE IA’ Reason: eS 


b6 
b7C 


O Batteries O Biohazard O FGJ 
O HAZMAT O Latents QO Refrigerate 


Printed Name: 
C O 


Date and | 
Time 


Signature 


rg 
. 
= 
oO 
O. 
& 
3 
@ 


Time Time bé 
alee, 
Rea ID 

Time Time b6 

: b7C 
aaa 
Pinca] dd oo 
Reason: 9 Egr@o7ED 
- Time _ Time 

Time | — Time 
Prince id 
Firearms Certification: 

Printed Name: Signature: Date: _- 
Case re 1B: =, Barcode: E523 SE OY ea 
b7¢ 


b7E 


EVIDENCE CHAIN-OF-CUSTODY } 


Continuation Page - 


Time Time 


Date and Accepted Custody Date and 
Time Time 


Printed Name: 


Relinquished Custody Date and | Accepted Custody ee and 
Time ee 


lPrinedName; = Name: Printed PrintedName; = 


Reason: Reason: 


Reason: 


Relinquished Custody Date and Accepted Custody Date and 
Time Time 


=i 


[printedNames Name: 


eine ay ee leone 


Time Time 
[Signe 
IReso: PRewoke oc | 


| Time Time 
————E signe: = 
Reson SReoHe sk. anes el 


Case JD: IB: Barcode: bE 


% as 
b3 
M Evidence Details b7E 
1B2 
Description: 
(U) 2TB Western Digital hard drive bearing S/N WMAY05245773 
containing logical image of OEMC file server. 
Acquired On: 02/19/2013 10:15 AM CST Eligible for Forfeiture: 
No 
Receipt Item #: None Special Handling: 
None 
Hazardous Materials: 
None 
CART Information 
Type Mass Storage Device Batteries Charged 
No 
Number Collected 1 Acquired by CART 
Yes 
Discovery Location 
Area: 1411 W. Madison St, : 
Chicago, IL SA b6 
Specific: OEMC ers: b7c 
None 
Anticipated Disposition 
None on None 
Storage Information 
Holding Office: CHICAGO 
Finalized By: [—_] _ Last Inventory b6 
None b7c 
Location: 
E03929001 - ECR1, ROW, ACCORDIANSUCFN ORDER 
—s Barcode #: #5233605 


Thidin of Custody 
Shipping / Transfer Log 
Fiistory 


Acquisition Event Details 


Acquisition Event: 
(U) Aquisition of logical image of OEMC file server 


Acquired By: . 
b7C 


1 of2 3/11/2013 3:56 PM 


Sentinel Working Copy 


Acquired From: 
(U) CART F 


Acquired On: 
02/19/2013 


Receipt Given: 
No : 


Holding Office: 
CHICAGO 


Evidence Log: 


{| 


_ 20f2 


b3 
b7E 


3/11/2013 3:56 PM 


ED-1004 FEDERAL BUREAU OF INVESTIGATION 
apn | EVIDENCE CHAIN-OF-CUSTODY 


2 
: 


Printed Name: Lem 
Reason: ENCED [Reason 


Relinquished Custody 


ile ar 


Signature: 
Printed Name: Printed Name: 


Accepted Custody ' Date and 
Time 


Signature ————— 


Relinquished Custody 


Printed Name: 


Printed Name: 
Firearms Certification: 


Printed Name: Signature: Date: 


Case df Cd 1B: Oh: Barcode: E52 3 3 62 a b3 


iar : 
Bp 

3 

fo) 


Reason: 


Evidence Type: O General O Drug QO Firearm/Weapon 
AX CART C Valuable O Firearm/Other 
Special Handling Instructions Initial Receipt Date and 
: ft Time b6 
; b7c 
O Batteries O Biohazard O FGJ Signature: 
O HAZMAT O Latents O Refrigerate 
O Req. Charging None 
Relinquished Custody Date and Accepted Custody Date and . 
. Time MS Time bé : 
BIG. 
pn gen i 
fmineanemd | He 
Reason: CAleGe (A 
Relinquished Custody Dateand | 
Time b6 
ome] nn 
prineanme | a et DBinwtvmes | «d te 
Reason: el 
Relinquished Custody Date and Accepted Custody Date and 
b7c . 


b7E | 


